SSH Tunneling/Port Forwarding to VMs

benk

New Member
Aug 24, 2022
Hey y'all,
I've recently deployed Proxmox 7.2 on a server. I'm very happy with the setup so far.
Now, to save IP addresses, I would like to add a port forwarding (first only SSH, port 22(?)) to each VM, connecting over the one server IP.

What I've got so far for the Proxmox server settings (etc/network/interface). This post helped.

Code:
auto vmbr0
iface vmbr0 inet static
        address A.A.A.A/xx
        gateway B.B.B.B
        bridge-ports eno1np0
        bridge-stp off
        bridge-fd 0

# Virtual Bridge 1 (local, virtual network)
auto vmbr1
iface vmbr1 inet static
    address 192.168.0.254
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE



# SSH Port (22) Forwarding to VM Linux Server
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 22 -j DNAT --to 192.168.0.1:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 22 -j DNAT --to 192.168.0.1:22


Now on the VM (Linux Server), I've set it up in the following way:

Code:
# This is the network config written by 'subiquity'
network:
  bonds:
    bond0:
      interfaces: []
      parameters:
        mode: balance-rr
  ethernets:
    ens18:
      addresses:
      - 192.168.0.1/24
      gateway4: 255.255.255.0
      nameservers:
        addresses:
        - 192.168.0.254
        search: []
  version: 2


Then I tried to SSH into the VM:
ssh -p 22 @A.A.A.A

However, I can't connect and get a timeout. Where am I wrong?
 
Also, when I try to apply the VMs network settings, I get:
Code:
`gateway4` has been deprecated, use default routes instead.
    See the 'Default routes' section of the documentation for more details.

Can anyone help on that?
 
I don't think the gateway is right; that looks like a subnet mask. According to the config of your PVE host I guess you should set it to **192.168.0.254**.
 
Using 'gateway4' in netplan is now deprecated, the new way to do it is by adding a default route. Change

Code:
  ethernets:
    ens18:
      addresses:
      - 192.168.0.1/24
      gateway4: 192.168.0.254
      nameservers:
        addresses:
        - 192.168.0.254
        search: []

to

Code:
  ethernets:
    ens18:
      addresses:
      - 192.168.0.1/24
      # default route replaces the deprecated gateway4 key
      routes:
      - to: default
        via: 192.168.0.254
      nameservers:
        addresses:
        - 192.168.0.254
        search: []

I have already changed the gateway to 192.168.0.254 in the example.
 
Thank you Benedikt!
I have added the default routing (see picture below).
[Image: 1661778787605.png]

I also changed the port forwarding from 22 to 2222 (otherwise the server SSH was blocked).
Bash:
# SSH Port Forwarding to VM Linux Server
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 192.168.0.2:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 192.168.0.2:22

When I look at the networking devices, I cannot activate bridge vmbr1

Bash:
14: vmbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether ae:04:b7:7e:3a:62 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 scope global vmbr1
       valid_lft forever preferred_lft forever

An ifup vmbr1 is not changing anything.


Also, I'm not so clear how to tunnel into the VM now. The command ssh root@A.A.A.A -L 2222:192.168.0.2:22 only brings me into the server.
Any help on that?
 
I don't have an idea why the vmbr1 bridge does not get UP though, the configuration looks okay to me.

I think the '-L' flag refers to the listen-port, not the remote-port. The command 'ssh -p 2222 <external-ip>' should work.
I am also wondering whether you need a reverse SNAT rule, similar to the one that Richard posted in your linked thread:

iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 192.168.1.10 -j SNAT --to-source 213.214.215.216:8188

In any case, this does not explain the vmbr1 down though.
 
Hey Benedikt,
thank you again for your answer. It's really weird that the vmbr1 would not go up. I will first try to solve that problem. Any help is appreciated.
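
Added example, not part of the thread or of Proxmox's own tooling: a small Python lint for the DNAT port-forward lines discussed above. It flags a forwarded port that shadows a service on the host itself (the reason port 22 had to become 2222), a DNAT target outside the bridge subnet, and a post-up rule with no matching post-down. `HOST_PORTS`, `lint` and the sample stanza are constructed for illustration, and the address is assumed to be written without a prefix length, as in the thread.

```python
import ipaddress
import shlex

# Constructed sample modelled on the vmbr1 stanza quoted in this thread.
# The 2222 rule deliberately has a mistyped target and no post-down line.
SAMPLE = """\
iface vmbr1 inet static
    address 192.168.0.254
    netmask 255.255.255.0
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 22 -j DNAT --to 192.168.0.1:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 22 -j DNAT --to 192.168.0.1:22
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 192.168.1.2:22
"""

HOST_PORTS = {22, 8006}  # assumption: host sshd and the Proxmox web UI


def lint(text, host_ports=HOST_PORTS):
    """Return sorted (dport, problem) pairs for the DNAT rules in one stanza."""
    cfg, rules = {}, {"post-up": set(), "post-down": set()}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] in ("address", "netmask"):
            cfg[tok[0]] = tok[1]
        elif tok[0] in rules and "DNAT" in tok:
            opt = dict(zip(tok[2:], tok[3:]))  # flag -> token that follows it
            ip, _, port = opt["--to"].partition(":")
            rules[tok[0]].add((int(opt["--dport"]), ip, port))
    # Subnet of the internal bridge, e.g. 192.168.0.0/24
    net = ipaddress.ip_network(f"{cfg['address']}/{cfg['netmask']}", strict=False)
    findings = []
    for dport, ip, _ in rules["post-up"]:
        if dport in host_ports:
            # PREROUTING DNAT rewrites the packet before the host's own daemon sees it
            findings.append((dport, "shadows a host service"))
        if ipaddress.ip_address(ip) not in net:
            findings.append((dport, f"target {ip} outside {net}"))
    # A rule appended on ifup but never deleted on ifdown piles up on every restart
    for rule in rules["post-up"] - rules["post-down"]:
        findings.append((rule[0], "no matching post-down"))
    return sorted(findings)


if __name__ == "__main__":
    for dport, problem in lint(SAMPLE):
        print(f"dport {dport}: {problem}")
```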
 
